Filtering Controls

While you will most commonly want to run all the controls in a benchmark, there are times when you want to only run single control, or filter the controls to run in a benchmark.

Filtering by Control Tags

You can filter controls by the control tags. For example, to run the controls in the cis_v150 benchmark that have tags cis_level=1 and benchmark=cis:

This filter works with all as well:

Filtering with --where

You can also filter the controls to run using a where clause on the properties of the benchmark.

You can preview which controls will run with the --dry-run flag:

Running specific controls

You can run a single control at a time with the powerpipe control command.

You can list the controls:

And run them by name, similar to benchmarks:

Unlike benchmarks, some controls may define parameters. You can pass values for them using one or more --arg arguments:

If the parameters are unnamed, you can pass values for them without specifying a name. The args will be passed to the query in order - the first --arg as $1, the second as $2, etc.: